IN THE CLAIMS 



1 . (Currently Amended) A method of authenticating a client, the method 
comprising in an authentication server: 

receiving a record ID for a user, the record ID being a random number r e cord I D 
generated for tracking authentication data and disassociating the authentication data 
from other client identity data , and a one-time key generated by a third party server and 
encrypted with a user's public key by the server; 

receiving the user's authentication data from the client; 

determining if the user's authentication data matches the record ID; and 

if so, decrypting the one-time key with the user's private key, and returning the 
decrypted one-time key to the client. 

2. (Currently Amended) The method of claim 1 , further comprising 
registering the user with the authentication server, registering comprising: 

receiving a registration authentication data from the user; 
generating a random public key/private key pair for the user; 
generating the random number as the record ID for the user; and 
associating the authentication data and the private key with the record ID. 

3. (Original) The method of claim 2, further comprising: 
sending the record ID and the public key to the user. 

4. (Previously Presented) The method of claim 2 further comprising 
establishing a secure connection between the authentication server and the user, prior 
to receiving registration authentication data. 
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5. (Previously Presented) The method of claim 1 , wherein a web page 
presented by the third party server to the client prompts the user to enter the 
authentication data to log in to the server. 

6. (Original) The method of claim 5, wherein the client's authentication data 
is automatically redirected to the authentication server. 

7. (Original) The method of claim 1 , wherein the authentication data is 
biometric data. 

8. (Original) The method of claim 1 , wherein the authentication data is 
personal data selected from among the following: a password, a smart card, and 
another type of authentication card. 

9. (Previously Presented) The method of claim 1 , wherein the client 
forwards the decrypted one-time key to the third party server, thereby authenticating the 
user as the owner of the private key. 

1 0. (Previously Presented) A method of claim 1 , further comprising discarding 
the received record ID after returning the one-time key to the user. 

1 1 . (Original) The method of claim 1 , wherein the record ID and the encrypted 
one-time key are further encrypted using a partner key, the method further comprising 
decrypting the record ID and encrypted one-time key using the partner key. 
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1 2. (Original) The method of claim 1 1 , wherein the partner is a symmetric key 
set up during registration of the partner. 

13. (Original) The method of claim 1 1 , wherein the partner key is a private 
key of the authentication server. 

14. (Currently Amended) A method of using an authentication server to 
authenticate a user to a third party server, the method comprising the third party server: 

looking up a r a ndom record ID associated with the user, the random record ID 
being a random number generated to track the user's authentication data and used to 
separate the user's other identity information from the authentication data; 

generating a one-time key and encrypting the one-time key with a public key of 
the user, and sending the encrypted one-time key and the record ID to the user; 

receiving the authentication data, the authentication data being the decrypted 
one-time key decrypted with the user's private key by the authentication server, such 
that the user does not have control of the user's private key at any time; and 

permitting access to the server. 

15. (Original) The method of claim 14, comprising: 
determining an authentication policy associated with the user; and 
verifying that the authentication policy has been satisfied, prior to permitting 

access to the server. 

1 6. (Original) The method of claim 1 5, wherein verifying that the 
authentication policy has|been satisfied comprises: 

determining if thelerver should verify additional data; and 
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if so, requesting additional data from the user prior to generating the one-time 

key. 

1 7. (Currently Amended) A third-party authentication system comprising: 
an authentication server to receive a record ID for a user, the record ID being a 

randomly generated number used to separate the user's other identity information from 
the user's authentication data A and a one-time key generated by a third party server and 
encrypted with a user's public key by the third party server; 

a comparison logic in the authentication server to receive the user authentication 
data from the client and determine whether the user's authentication data matches the 
record ID; and 

a decryption logic in the authentication server to decrypt the one-time key with a 
private key associated with the validated record ID, and to return the decrypted one- 
time key to the client. 

18. (Previously Presented) The system of claim 17, further comprising: 
a policy validation logic to receive a policy from the third party server, and 

determine if the policy has been fulfilled; and 

the decryption logic to decrypt the one-time key only if the policy has been 
fulfilled. 

1 9. (Original) The system of claim 1 7, further comprising: 

a nonce generation logic to generate a nonce, the nonce to be included with the 
user authentication data from the client; and 

the comparison logic to verify that the user authentication data includes the 
appropriate nonce. 
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20. (Original) The system of claim 17, further comprising a client registration 
logic to register the user, the client registration logic comprising: 

a key generation logic to generate a random public key/private key pair for the 

user; 

a record ID generation logic to generate a random record ID for the user; and 
the client registration logic to associate user authentication data with the private 
key and the record ID. 

21 . (Original) The system of claim 1 8, further comprising: 
the interface to send the record ID and the public key to the user. 

22. (Original) The system of claim 19, wherein the interface establish a 
secure connection with the user, prior to receiving registration authentication data. 

23. (Original) The system of claim 17, wherein a web page presented by the 
server to the client prompts the user to enter the authentication data to log in to the 
server. 

24. (Original) The system of claim 23, wherein the client's authentication data 
is automatically redirected to the authentication server. 

25. (Original) The system of claim 17, wherein the authentication data is 
biometric data. 
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26. (Original) The system of claim 17, wherein the authentication data is 
personal data selected from among the following: a password, a smart card, and 
another type of authentication card. 

27. (Original) The system of claim 1 7, wherein the client forwards the 
decrypted one-time key to the server, thereby authenticating the user as the owner of 
the private key. 

28. (Previously Presented) The system of claim 17, further comprising a 
security mechanism to discard the received record ID after returning the one-time key to 
the user. 

29. (Original) The system of claim 17, wherein the decryption logic further 
decrypts the record ID and the encrypted one-time key with a partner key. 

30. (Original) The system of claim 29, wherein the partner key is a symmetric 
key set up during registration of the partner. 

31 . (Original) The system of claim 29, wherein the partner key is a private key 
of the authentication server. 
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